b'ECONOMIC\nDEVELOPMENT\nADMINISTRATION\nMalware Infections\non EDA\xe2\x80\x99s Systems\nWere Overstated\nand the Disruption\nof IT Operations\nWas Unwarranted\n\nFINAL REPORT NO. OIG-13-027-A\nJUNE 26, 2013\n\n\n\nU.S. Department of Commerce\nOffice of Inspector General\nOffice of Audit and Evaluation\n\nFOR PUBLIC RELEASE\n\x0c                                                        UNITED STATES DEPARTMENT OF COMMERCE\n                                                        Office of Inspector General\n                                                        Washington, D.C. 20230\n\n\n\n\nJune 26, 20 13\n\nMEMORANDUM FOR:               Matthew Erskine\n                              Deputy Assistant Secretary of Commerce\n                               for Economic Development\n                              Economic Development Administration\n\n                              Simon Szykman\n                              Chief Information ~                   r~\n\nFROM:                        Allen Crawley                         G   A\n                             Assistant Inspector General for Systems Acquisition\n                              and IT Security\n\nSUBJECT:                     Malware Infections on EDA\'s Systems Were Overstated\n                              and the Disruption of IT Operations Was Unwarranted\n                              Final Report No. OIG-13-027-A\n\nAttached is the final report of our audit of EDA\'s information security program and cyber\nincident response. In accordance with the Federal Information Security Management Act, we\nevaluated EDA\'s incident response and recovery activities in relation to EDA\'s fiscal year 20 12\ncyber incident. 
We (I) assessed the effectiveness of EDA\'s IT security program, (2) determined\nthe significant factors that contributed to its incident, and (3) evaluated both completed and\nplanned activities to recover its information systems to support critical operational\nrequirements.\n\nWe found (I) EDA based its critical incident response decisions on inaccurate information, (2)\ndeficiencies in the Department\'s incident response program impeded EDA\'s incid~nt response,\nand (3) misdirected planning efforts hindered EDA\'s IT system recovery.\n\nIn response to the draft audit report, EDA and the CIO concurred w ith all of our\nrecommendations. We summarized the responses in the report and included the full response\nin the appendixes. We will post this report on the OIG website pursuant to section 8L of the\nInspector General Act of 1978, as amended.\n\nUnder Department Administrative Order 213-5, you have 60 calendar days from the date of\nthis memorandum to submit an audit action plan to us. 
The plan should outline actions you\npropose to take to address each recommendation.\n\nWe appreciate the cooperation and courtesies extended to us by your staff during our audit.\nPlease direct any inquiries regarding this report to me at (202) 482-1855 and refer to the\nreport title in all correspondence.\n\x0cAttachment\n\ncc: \t   Thomas Guevara, Deputy Assistant Secretary for Regional Affairs, EDA\n        Rod Turk, Director, O ffice of Cyber Security, and Chief Information Security Officer\n        Chuck Benjamin, Chief Information Officer, EDA\n        Deborah Neff, Audit liaison, EDA\n        Cara Huang, Audit Liaison, Office of the Chief Information Officer\n\x0c                                                       Report In Brief                                               JUNE 26, 2013\n\n\n\n                                                  ECONOMIC DEVELOPMENT ADMINISTRATION\nBackground\nThe Economic Development Admin-\n                                                  Malware Infections on EDA\xe2\x80\x99s Systems Were Overstated\nistration\xe2\x80\x99s (EDA\xe2\x80\x99s) mission is to lead            and the Disruption of IT Operations Was Unwarranted\nthe federal economic development\nagenda by promoting innovation and                OIG-13-027-A\ncompetitiveness, thus preparing Ameri-\ncan regions for growth and success in             WHAT WE FOUND\nthe worldwide economy. To fulfill its\nmission, EDA uses six regional offices            Reviewing EDA\xe2\x80\x99s IT security program and the events surrounding its December 2011 cyber\nto provide services specific to each              incident and recovery efforts, we found that:\nregion\xe2\x80\x99s needs.\n                                                    EDA Based Its Critical Cyber-Incident Response Decisions on Inaccurate Information. 
Believing\nIn accordance with the Federal Infor-               (a) the incident resulted in a widespread malware infection possibly propagating within its\nmation Security Management Act of 2002              systems and (b) its widespread malware infection could spread to other bureaus if its IT\n(FISMA), we evaluated EDA\xe2\x80\x99s incident                systems remained connected to the network, EDA decided to isolate its IT systems from\nresponse and recovery activities in relation        the HCHB network and destroy IT components to ensure that a potential infection could\nto EDA\xe2\x80\x99s fiscal year 2012 cyber incident.           not persist. However, OIG found neither evidence of a widespread malware infection nor\n                                                    support for EDA\xe2\x80\x99s decision to isolate its IT systems from the HCHB network.\nWhy We Did This Review\n                                                    Deficiencies in the Department\xe2\x80\x99s Incident Response Program Impeded EDA\xe2\x80\x99s Incident Response.\nOn December 6, 2011, the Department                 These deficiencies significantly contributed to EDA\xe2\x80\x99s inaccurate belief that it experienced a\nof Homeland Security (DHS) notified the             widespread malware infection. Consequently, the Department of Commerce Computer\nDepartment of Commerce that it detect-\n                                                    Incident Response Team (DOC CIRT) and EDA propagated inaccurate information that\ned a potential malware infection within\n                                                    went unidentified for months after EDA\xe2\x80\x99s incident. We found that DOC CIRT\xe2\x80\x99s incident\nthe Department\xe2\x80\x99s systems. 
The Depart-\nment determined the infected compo-                 handlers did not follow the Department\xe2\x80\x99s incident response procedures, that its handler for\nnents resided within IT systems operat-             EDA\xe2\x80\x99s incident did not have the requisite experience or qualifications, and that DOC CIRT\ning on the Herbert C. Hoover Building               did not adequately coordinate incident response activities.\n(HCHB) network and informed EDA and                 Misdirected Efforts Hindered EDA\xe2\x80\x99s IT System Recovery. With its incorrect interpretation of\nanother agency of a potential infection in\n                                                    recovery recommendations, EDA focused its recovery efforts on replacing its IT\ntheir IT systems.\n                                                    infrastructure and redesigning its business applications. EDA should have concentrated its\nOn January 24, 2012\xe2\x80\x94believing it had a              resources on quickly and fully recovering its IT systems (e.g., critical business applications) to\nwidespread malware infection\xe2\x80\x94EDA                    ensure its operational capabilities. Our review of EDA\xe2\x80\x99s recovery activities found that\nrequested the Department isolate its IT             (a) EDA decided to replace its entire IT infrastructure based on its incorrect interpretation\nsystems from the HCHB network. 
This                 of recovery recommendations and (b) EDA\xe2\x80\x99s recovery efforts were unnecessary.\naction resulted in the termination of\nEDA\xe2\x80\x99s operational capabilities for enter-         The Department, using already existing shared IT services, returned EDA\xe2\x80\x99s systems to their\nprise e-mail and Web site access, as well as      former operational capabilities (except for access to another Departmental agency\xe2\x80\x99s financial\nregional office access to database applications   system) in just over 5 weeks of starting its effort.\nand information residing on servers connect-\ned to the HCHB network.                           WHAT WE RECOMMEND\nGiven the Department\xe2\x80\x99s limited incident           We recommend that the Deputy Assistant Secretary for EDA:\nresponse capabilities and the perceived\nextent of the malware infection, the                1. \t Identify EDA\xe2\x80\x99s areas of IT responsibility and ensure the implementation of required \n\nDepartment and EDA decided to aug-                       security measures.\n\nment the Department\xe2\x80\x99s incident re-                  2. \t Determine whether EDA can reduce its IT budget and staff expenditures, through the\nsponse team. Additional incident re-                     increased efficiencies of EDA\xe2\x80\x99s involvement in the Department\xe2\x80\x99s shared services.\nsponse support was provided by DHS,\nthe Department of Energy, the National              3. \t Ensure that EDA does not destroy additional IT inventory that was taken out of service\nInstitute of Standards and Technology,                   as a result of this cyber incident.\nand the National Security Agency, as well\n                                                  We recommend that the Department\xe2\x80\x99s Chief Information Officer:\nas a cybersecurity contractor. In early\nFebruary 2012, EDA entered into an                  1. 
\t Ensure DOC CIRT can appropriately and effectively respond to future cyber incidents.\nagreement with the Census Bureau to\n                                                    2. \t Ensure incident response procedures clearly define DOC CIRT as the incident response\nprovide an interim e-mail capability, In-\nternet access to EDA staff, and Census                   coordinator for the bureaus relying on DOC CIRT\xe2\x80\x99s incident response services.\nBureau surplus laptops for EDA staff.               3. \t Ensure that DOC CIRT management has proper oversight and involvement in cyber\n                                                         incidents to ensure that required incident response activities take place.\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                                                                 OFFICE OF INSPECTOR GENERAL\n\n\nContents \n\nIntroduction .......................................................................................................................................................1\n\xc2\xa0\nFindings and Recommendations ....................................................................................................................3\n\xc2\xa0\n   I.\t\xc2\xa0 EDA Based Its Critical Cyber-Incident Response Decisions on Inaccurate Information .....3\n\xc2\xa0\n       A.\t\xc2\xa0 Inaccurate Analysis and a Misunderstanding Caused EDA\xe2\x80\x99s Perception of a \n\n            Widespread Malware Infection.....................................................................................................4\n\xc2\xa0\n       B.\t\xc2\xa0 EDA\xe2\x80\x99s Belief That Its Malware Infection Was Spreading Heavily Influenced Its \n\n            Decision to Isolate Its IT Systems................................................................................................6\n\xc2\xa0\n       C.\t\xc2\xa0 EDA\xe2\x80\x99s Severely Deficient IT Security Program Gave 
Credibility to the Purported \n\n            Widespread Malware Infection.....................................................................................................7\n\xc2\xa0\n       D.\t\xc2\xa0 EDA Sought Validation of a Sophisticated Cyber Attack .......................................................9\n\xc2\xa0\n       E.\t\xc2\xa0 External Incident Responders Found No Evidence of a Widespread Malware \n\n            Infection or Extremely Persistent Malware ...............................................................................9\n\xc2\xa0\n       Conclusion .............................................................................................................................................. 10\n\xc2\xa0\n   II.\t\xc2\xa0 Deficiencies in the Department\xe2\x80\x99s Incident Response Program Impeded EDA\xe2\x80\x99s \n\n         Incident Response .............................................................................................................................. 11\n\xc2\xa0\n       A.\t\xc2\xa0 DOC CIRT Did Not Follow Incident Response Procedures ............................................. 12\n\xc2\xa0\n       B.\t\xc2\xa0 DOC CIRT\xe2\x80\x99s Inexperienced Staff Hindered EDA\xe2\x80\x99s Incident Response ........................... 13\n\xc2\xa0\n       C.\xc2\xa0 DOC CIRT Did Not Adequately Coordinate EDA\xe2\x80\x99s Incident Response Activities...... 13\n\xc2\xa0\n       Conclusion .............................................................................................................................................. 14\n\xc2\xa0\n   III.\t\xc2\xa0 Misdirected Efforts Hindered EDA\xe2\x80\x99s IT System Recovery ....................................................... 14\n\xc2\xa0\n       A.\t\xc2\xa0 EDA Acted on Its Incorrect Interpretation of Recovery Recommendations ................. 
14\n\xc2\xa0\n       B.\t\xc2\xa0 EDA\xe2\x80\x99s Recovery Efforts Were Unnecessary .......................................................................... 15\n\xc2\xa0\n       Conclusion .............................................................................................................................................. 16\n\xc2\xa0\nRecommendations ............................................................................................................................................ 17\n\xc2\xa0\nSummary of Agency and Departmental Responses and OIG Comments ........................................ 18\n\xc2\xa0\nAppendix A: Objectives, Scope, and Methodology ................................................................................ 19\n\xc2\xa0\nAppendix B: Detailed Timeline of EDA\xe2\x80\x99s Cyber Incident Response and Recovery ....................... 21\n\xc2\xa0\nAppendix C: Agency Response................................................................................................................... 24\n\xc2\xa0\nAppendix D: Departmental Response ...................................................................................................... 28\n\xc2\xa0\n\n\n\n\nFINAL REPORT NO. OIG-13-027-A\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                             OFFICE OF INSPECTOR GENERAL\n\n\nIntroduction\nThe Economic Development Administration\xe2\x80\x99s (EDA\xe2\x80\x99s) mission is to lead the federal economic\ndevelopment agenda by promoting innovation and competitiveness, thus preparing American\nregions for growth and success in the worldwide economy. To fulfill its mission, EDA uses six\nregional offices1 to provide services specific to each region\xe2\x80\x99s needs.\n\nOn December 6, 2011, the U.S. 
Computer Emergency Response Team (US-CERT)\xe2\x80\x94a part of\nthe Department of Homeland Security (DHS)\xe2\x80\x94notified the Department of Commerce\nComputer Incident Response Team (DOC CIRT2) that it detected a potential malware\ninfection3 within the Department\xe2\x80\x99s systems. DOC CIRT determined the infected components\nresided within IT systems operating on the Herbert C. Hoover Building (HCHB) network.\nAccordingly, DOC CIRT informed EDA and the National Oceanic and Atmospheric\nAdministration (NOAA) of a potential infection in their IT systems. NOAA\xe2\x80\x99s Computer\nIncident Response Team analyzed the information provided by DOC CIRT and identified the\ninfected component. NOAA remediated the malware infection and placed the remediated\ncomponent back into operation by January 12, 2012.\n\nBy contrast, on January 24, 2012\xe2\x80\x94believing it had a widespread malware infection\xe2\x80\x94EDA\nrequested the Department isolate its IT systems from the HCHB network. This action resulted\nin the termination of EDA\xe2\x80\x99s operational capabilities for enterprise e-mail and Web site access,\nand regional office access to database applications and information residing on servers\nconnected to the HCHB network.\n\nGiven DOC CIRT\xe2\x80\x99s limited incident response capabilities and the perceived extent of the\nmalware infection, the Department and EDA decided to augment the DOC CIRT\xe2\x80\x99s incident\nresponse team. Additional incident response support was provided by US-CERT, the\nDepartment of Energy (DOE) Computer Incident Response Team, the National Institute of\nStandards and Technology (NIST) Security Implementation and Incident Response Team, and\nthe National Security Agency (NSA). 
In addition, EDA retained the services of a cybersecurity\ncontractor.\n\nIn early February 2012, EDA entered into an agreement with the Census Bureau to provide an\ninterim e-mail capability, Internet access to EDA staff, and Census Bureau surplus laptops for\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n1\n  Regional offices are located in Atlanta, GA; Austin, TX; Chicago, IL; Denver, CO; Philadelphia, PA; and Seattle,\nWA.\n2\n  The DOC CIRT provides computer incident response support to most of the Department\xe2\x80\x99s operating units that\nuse the Herbert C. Hoover Building network\xe2\x80\x94an Office of the Chief Information Officer-managed infrastructure\nthat many of the bureaus, like EDA, connect to for Department services, Internet connectivity, and communication\ninfrastructure support for internal system operation. Incident response services include interfacing with and\nreporting incidents to and from the US-CERT, performing malware analysis, interfacing with the Department\xe2\x80\x99s\nnetwork and security operations centers to coordinate changes in network configuration or monitoring resulting\nfrom an incident, and providing remediation guidance.\n3\n  Malware is software used by attackers to disrupt computer operation, gather sensitive information, or gain access\nto computer systems. In EDA\xe2\x80\x99s incident, the notification indicated the presence of fake antivirus (FakeAV)\nsoftware, which deceives a user into executing an application masquerading as antivirus or a malware removal tool.\n\n\nFINAL REPORT NO. 
OIG-13-027-A                                                                                     1\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                            OFFICE OF INSPECTOR GENERAL\n\nEDA staff. See appendix B for a detailed timeline of events for EDA\xe2\x80\x99s cyber-incident response\nand recovery.\n\nIn accordance with FISMA,4 we evaluated EDA\xe2\x80\x99s incident response and recovery activities in\nrelation to EDA\xe2\x80\x99s fiscal year (FY) 2012 cyber incident. We (1) assessed the effectiveness of\nEDA\xe2\x80\x99s IT security program, (2) determined the significant factors that contributed to the\nincident, and (3) evaluated both completed and planned activities to recover its information\nsystems to support critical operational requirements. See appendix A for details regarding our\nobjectives, scope, and methodology.\n\n\n\xc2\xa0\n\n\n\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n4\n  The Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C \xc2\xa7 3541 (2002), et seq., requires\nagencies to secure systems through the use of cost-effective management, operational, and technical controls. The\nstatute\xe2\x80\x99s goal is to provide adequate security commensurate with the risk and extent of harm resulting from the\nloss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of\nan agency. 
In addition, FISMA requires inspectors general to evaluate agencies\xe2\x80\x99 information security programs and\npractices by assessing a representative subset of agency systems, and results are reported to the Office of\nManagement and Budget, the Department of Homeland Security, and Congress annually.\n\n\nFINAL REPORT NO. OIG-13-027-A                                                                                       2\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                               OFFICE OF INSPECTOR GENERAL\n\n\nFindings and Recommendations \n\nAs part of our annual FISMA work, we reviewed EDA\xe2\x80\x99s IT security program and the events\nsurrounding its December 2011 cyber incident and recovery efforts. We found that (1) EDA\nmade key incident response and recovery decisions with inaccurate information, (2) DOC\nCIRT\xe2\x80\x99s insufficient incident response efforts degraded the quality of EDA\xe2\x80\x99s incident response,\nand (3) EDA\xe2\x80\x99s misdirected efforts hindered the recovery of its IT systems.\n\n    I.\t       EDA Based Its Critical Cyber-Incident Response Decisions on Inaccurate\n              Information\n\n       EDA believed the incident resulted in a widespread malware infection that was possibly\n       propagating within its systems. Furthermore, EDA believed that its widespread malware\n       infection could spread to other bureaus if its IT systems remained connected to the\n       network, so EDA decided to isolate its IT systems from the HCHB network.\n\n       OIG found no evidence to support EDA\xe2\x80\x99s beliefs. Specifically, we found no evidence of a\n       widespread malware infection. 
Further, we found no evidence to support EDA\xe2\x80\x99s decision to\n       isolate its IT systems from the HCHB network.\n\n       The perception of a widespread malware infection and EDA\xe2\x80\x99s incident response decisions\n       are attributable to several factors:\n           \xef\x82\xb7\t DOC CIRT\xe2\x80\x99s inaccurate analysis and a misunderstanding caused EDA\xe2\x80\x99s perception of a\n              widespread malware infection.\n           \xef\x82\xb7\t EDA believed that the malware infection would spread to other bureaus on the\n              HCHB network.\n           \xef\x82\xb7\t Serious long-standing deficiencies in EDA\xe2\x80\x99s IT security program gave credence to\n              EDA\xe2\x80\x99s belief that it experienced a widespread malware infection.\n\n           \xef\x82\xb7\t EDA\xe2\x80\x99s belief in its widespread malware infection led it to seek validation of a\n              sophisticated cyber attack.5\n\n           \xef\x82\xb7\t EDA based its recovery decisions on its belief that it faced a widespread malware\n              infection that included extremely persistent malware.6\n\n\n\n\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n5\n  A sophisticated cyber attack typically involves the use of attack techniques, such as exploiting previously unknown\nvulnerabilities, to successfully compromise a component.\n\n6\n  Extremely persistent malware cannot be eradicated by reimaging the infected system\xe2\x80\x99s hard drive (e.g., malware that\n\ninfects a device\xe2\x80\x99s firmware in order 
for the infection to persist).\n\n\n\nFINAL REPORT NO. OIG-13-027-A                                                                                       3\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                               OFFICE OF INSPECTOR GENERAL\n\n       A.\t Inaccurate Analysis and a Misunderstanding Caused EDA\xe2\x80\x99s Perception of a Widespread\n           Malware Infection\n\n              EDA believed that a cyber attack resulted in an extensive malware infection affecting\n              over half of its components.7 This belief originated on the first day of incident response\n              activities when DOC CIRT sent EDA inaccurate information concerning the extent of\n              the malware infection, which overstated the number of components involved.\n              Additionally, EDA misunderstood DOC CIRT\xe2\x80\x99s follow-up communications, which\n              accurately described the limited extent of the infection. Even though additional\n              communications occurred between DOC CIRT and EDA, each organization continued\n              to have a different understanding of the extent of the malware infection.\n\n                      DOC CIRT\xe2\x80\x99s first incident notification was misleading. On December 6, 2011,\n                      US-CERT alerted DOC CIRT to suspicious activity, which involved EDA\xe2\x80\x99s systems,\n                      on the HCHB network. In an effort to identify infected components, DOC CIRT\xe2\x80\x99s\n                      incident handler requested network logging information. However, the incident\n                      handler unknowingly requested the wrong network logging information (see finding\n                      II, subfinding B, for more information on the incident handler). 
Consequently, on\n                      December 7, 2011, DOC CIRT sent an e-mail incident notification to EDA (in\n                      response to US-CERT\xe2\x80\x99s alert) that inaccurately described the extent of the potential\n                      malware infection. Instead of providing EDA a list of potentially infected\n                      components, the incident handler mistakenly provided EDA a list of 146\n                      components8 within its network boundary. Accordingly, EDA believed it faced a\n                      substantial malware infection.\n\n                      DOC CIRT\xe2\x80\x99s mistake resulted in a second incident notification. Early on\n                      December 8, 2011, an HCHB network staff member informed DOC CIRT that the\n                      incident handler\xe2\x80\x99s request for network logging information did not identify the\n                      infected components. Rather, the response merely identified EDA components\n                      residing on a portion of the HCHB network (i.e., the listing of 146 components\n                      initially provided to EDA). The HCHB network staff member then performed the\n                      appropriate analysis identifying only two components exhibiting the malicious\n                      behavior in US-CERT\xe2\x80\x99s alert. With this new information, DOC CIRT sent EDA a\n                      second e-mail incident notification.\n\n                      DOC CIRT\xe2\x80\x99s second incident notification was vague. DOC CIRT\xe2\x80\x99s second\n                      incident notification did not clearly explain that the first incident notification was\n                      inaccurate. As a result, EDA continued to believe a widespread malware infection\n                      was affecting its systems. 
Specifically, the second incident notification\n\n                         \xef\x82\xb7\t Began by stating the information previously provided about the incident was correct.\n                            EDA interpreted the statement as confirmation of the first incident\n\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\xc2\xa0\n7\n EDA\xe2\x80\x99s IT system was comprised of approximately 250 IT components (e.g., desktops, laptops, and servers).\n8\n The first incident notification contained an attachment with 146 distinct potentially infected components. DOC\nCIRT, EDA, and external incident responders reported numbers ranging from 142 to 148 components, but the\naccurate count from the incident notification is 146 components.\n\n\nFINAL REPORT NO. OIG-13-027-A                                                                                      4\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                               OFFICE OF INSPECTOR GENERAL\n\n                                 notification, when DOC CIRT\xe2\x80\x99s incident handler simply meant to confirm EDA\n                                 was the agency identified in US-CERT\xe2\x80\x99s alert. Nowhere in the notification or\n                                 attachment does the DOC CIRT incident handler identify that there was a\n                                 mistake or change to the previously provided information.\n                         \xef\x82\xb7\t Contained an attachment name that further obscured any clarification. 
Although the\n                            incident notification\xe2\x80\x99s attachment correctly identified only 2 components\n                            exhibiting suspicious behavior\xe2\x80\x94not the 146 components that DOC CIRT\n                            initially identified\xe2\x80\x94the name of the second incident notification\xe2\x80\x99s attachment\n                            exactly matched the first incident notification\xe2\x80\x99s attachment, obscuring the\n                            clarification.\n\n                      DOC CIRT and EDA\xe2\x80\x99s misunderstanding continued. Over the next 5 weeks,\n                      additional communications occurred between DOC CIRT and EDA. However, each\n                      organization continued to have a different understanding of the extent of the\n                      malware infection. DOC CIRT believed the incident affected only two components,\n                      whereas EDA believed the incident affected more than half of its components.\n                      Several factors contributed to these different interpretations:\n                         \xef\x82\xb7\t DOC CIRT assumed EDA understood that its second incident notification\n                            superseded the first incident notification and that there were only 2 potentially\n                            infected components\xe2\x80\x94not 146. However, DOC CIRT did not follow up to\n                            establish whether EDA understood the new information.\n                         \xef\x82\xb7\t EDA responded to the second incident notification by providing a sample of\n                            two components (on the list identified in the first incident notification and that\n                            were exhibiting malicious behavior) for forensic analysis. 
DOC CIRT believed the sample to be the same two components identified in the second incident notification.

• When DOC CIRT confirmed that the sample of 2 components was infected with malware, EDA believed that DOC CIRT had confirmed the malware infection for all 146 components listed in the first incident notification.

• DOC CIRT did not retain the first incident notification showing 146 components or document initial incident response activities. Therefore, when DOC CIRT management became involved in the incident response activities, they could not see that a misunderstanding had occurred.

When DOC CIRT asked EDA to carry out typical containment measures (reimaging[9] the infected components), EDA informed DOC CIRT there were too many components involved, making typical containment measures unfeasible. DOC CIRT assumed EDA performed an independent analysis to identify additional infected components (even though EDA lacked the necessary capabilities) and assumed EDA was now dealing with a widespread malware infection.
Likewise, EDA assumed DOC CIRT was aware of the incident's magnitude, given that DOC CIRT provided the list of infected components in its first incident notification. Now, EDA and DOC CIRT were operating with the same—albeit inaccurate—belief.

[9] Reimaging is the process of reinstalling the operating system and applications on a hard drive, as well as restoring the necessary information from known good backups.

Unfortunately, both organizations continued to propagate the inaccurate information (the basis for the widespread malware infection) during the incident response activities. DOC CIRT's representation of the extent of the malware infection was accepted by DHS and not independently validated in its draft report. DHS's draft report stated, "over 143 systems infected with common fake anti-virus" and "50 percent of EDA's network is infected,"[10] which portrayed a widespread malware infection.
The NSA report stated that "the EDA network was extremely inundated with malware" and "the extent of the compromise and the state of the overly infected network will make it very difficult to deconflict the vast amount of indicators."[11] NSA did not independently verify incident information, but it presented similar information to that presented by DHS as fact. As a result, EDA believed these incident reports[12] supported its conclusion regarding the extent of the malware infection.

The misunderstanding went undetected by EDA until December 18, 2012—and by the Department until December 19, 2012—when OIG completed its validation of events and informed both organizations of its initial conclusions.

B. EDA's Belief That Its Malware Infection Was Spreading Heavily Influenced Its Decision to Isolate Its IT Systems

On January 24, 2012, EDA, at the recommendation of EDA's current chief information officer (CIO), decided to isolate EDA's IT systems from the HCHB network. EDA's CIO believed that (1) EDA experienced a widespread malware infection, (2) the malware infection was spreading within EDA's IT systems, and (3) the malware infection could spread to other bureaus residing on the HCHB network. Specifically, EDA's CIO believed that an antivirus scan of EDA's primary e-mail server indicated multiple malware infections and the malware infection could propagate to other bureaus on the HCHB network. However, we found no evidence to support these beliefs. Specifically,

• There was no widespread malware infection.
EDA based its conclusion on inaccurate information (see finding 1, subfinding A).

[10] U.S. Department of Homeland Security, National Cyber Security Division, February 7, 2012. Strategic Remediation Strategy for Department of Commerce/Economic Development Administration, Draft Version 1.0. Washington, DC: DHS National Cyber Security Division, 1. DHS did not issue a final version of its report.
[11] National Security Agency, Computer Network Operations Countermeasures Division, Information Assurance Directorate, May 15, 2012. IAD Intrusion Response of Department of Commerce Economic Development Administration, I3331-004R-2012. Ft. Meade, MD: NSA, 4.
[12] NIST did not issue an incident response report. DOE's incident report addressed the results of an assessment on one component—analysis indicated trace evidence of an attempted infection but no extremely persistent malware—not the incident as a whole.

• There was no indication of an infection in the e-mail server. Our analysis of the e-mail server's antivirus logs showed that the antivirus software was up-to-date (e.g., with
the most current software version and latest malware definitions), was scanning weekly, and had not identified any malware. Not only was EDA's CIO unable to substantiate his assertion with credible evidence, but EDA's IT staff also did not support the assertion of an infection in the e-mail server.

• The e-mail server did not pose an increased risk. EDA's outbound e-mail traffic does not pass through any other e-mail systems before reaching the Internet; therefore, the infection would not have spread the way EDA's CIO believed. Further, e-mail traffic in general does not pose a risk to an e-mail server, as infected e-mail attachments typically require user interaction. Additionally, the Department has security measures to address infected e-mail attachments. Thus, EDA's e-mail server did not pose an increased risk, even if it had been infected.

C. EDA's Severely Deficient IT Security Program Gave Credibility to the Purported Widespread Malware Infection

Since 2006, OIG has identified significant deficiencies in EDA's IT security program. NSA's 2009 review[13] further emphasized these deficiencies with the discovery of multiple common malware[14] infections.
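Subfinding B above rests on reading the e-mail server's antivirus logs for three facts: current definitions, a weekly scan cadence, and no detections. The following is an added example, not from the OIG report and not taken from EDA's systems, of how such a log review can be scripted so that each of the three checks is explicit and repeatable. The log format, event names, dates, sample values and the 7-day thresholds are all assumptions constructed for the example; real antivirus products log differently and the parser would need adapting.

```python
"""Scripted review of antivirus log evidence for a single server.

Added example, not from the OIG report: the log format below is constructed
("<YYYY-MM-DD> <EVENT> key=value ...") and does not correspond to any
particular antivirus product or to EDA's logs. The review answers three
questions: are definitions current, is the host scanned on a regular
cadence, and has anything been detected.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: weekly definition updates, weekly scans, no detections.
SAMPLE_LOG = """\
2012-01-02 DEFS_UPDATED version=5.2.1 defs=2012-01-02
2012-01-03 SCAN_COMPLETE files=418230 threats=0
2012-01-09 DEFS_UPDATED version=5.2.1 defs=2012-01-09
2012-01-10 SCAN_COMPLETE files=418977 threats=0
2012-01-16 DEFS_UPDATED version=5.2.1 defs=2012-01-16
2012-01-17 SCAN_COMPLETE files=419402 threats=0
2012-01-23 DEFS_UPDATED version=5.2.1 defs=2012-01-23
"""

# Constructed counter-example: stale definitions, a two-month scan gap and
# two threats reported by the last scan.
SAMPLE_LOG_STALE = """\
2011-11-20 DEFS_UPDATED version=5.1.9 defs=2011-11-20
2011-11-21 SCAN_COMPLETE files=400113 threats=0
2012-01-17 SCAN_COMPLETE files=419402 threats=2
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) ([A-Z_]+)(.*)$")


@dataclass
class AvEvidence:
    latest_defs: date | None = None                    # newest definition set seen
    scan_dates: list[date] = field(default_factory=list)
    detections: int = 0                                # threats reported by completed scans


def parse_av_log(text: str) -> AvEvidence:
    """Extract the evidence the review needs from log lines in the assumed format."""
    ev = AvEvidence()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                   # lines not in the assumed format are ignored
        when, kind, rest = date.fromisoformat(m.group(1)), m.group(2), m.group(3)
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        if kind == "DEFS_UPDATED":
            defs = date.fromisoformat(fields["defs"])
            if ev.latest_defs is None or defs > ev.latest_defs:
                ev.latest_defs = defs
        elif kind == "SCAN_COMPLETE":
            ev.scan_dates.append(when)
            ev.detections += int(fields.get("threats", "0"))
    ev.scan_dates.sort()
    return ev


def assess(ev: AvEvidence, as_of: str, max_defs_age_days: int = 7,
           max_scan_gap_days: int = 7) -> dict[str, bool]:
    """Test the three claims against the evidence as of an ISO date.

    The 7-day thresholds are assumptions chosen to match a weekly cadence."""
    ref = date.fromisoformat(as_of)
    defs_current = ev.latest_defs is not None and (ref - ev.latest_defs).days <= max_defs_age_days
    gaps = [(b - a).days for a, b in zip(ev.scan_dates, ev.scan_dates[1:])]
    # A cadence needs at least two scans, no gap over the limit, and a recent last scan.
    scanning_regularly = (
        len(ev.scan_dates) >= 2
        and max(gaps) <= max_scan_gap_days
        and (ref - ev.scan_dates[-1]).days <= max_scan_gap_days
    )
    return {
        "definitions_current": defs_current,
        "scanning_weekly": scanning_regularly,
        "no_detections": ev.detections == 0,
    }


def review(text: str, as_of: str) -> dict[str, bool]:
    """Parse and assess in one step; True for every key means the log supports the claim."""
    return assess(parse_av_log(text), as_of)


if __name__ == "__main__":
    # January 24, 2012 is the isolation date the report gives; used here only as the reference date.
    for label, log in (("healthy", SAMPLE_LOG), ("stale", SAMPLE_LOG_STALE)):
        print(label, review(log, "2012-01-24"))
```

The point of separating `parse_av_log` from `assess` is that the thresholds and the reference date are stated once and can be challenged: a reviewer who disagrees that a 7-day-old last scan still counts as "scanning weekly" changes one parameter, and the same evidence is re-evaluated.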
We reviewed EDA's IT security program after its incident and found that many of the deficiencies identified in past reviews remained unremediated for more than 4 years (see table 1 below for examples of deficient security measures).

[13] In 2009, NSA reviewed security measure implementations on IT systems operating on the HCHB network.
[14] Common malware (e.g., spyware, virus, or Trojans), although typically malicious and potentially harmful, can be removed using common cleaning tools and processes (e.g., reimaging).

Table 1. Examples of EDA's Long-Standing Security Deficiencies

Security measure: Secure Configurations
Definition: The processes an organization uses to define how to secure its IT products (e.g., operating systems, databases, and web applications)—limiting the functions of a component to minimal operations
Significance: Without effective secure configurations, an organization will not effectively limit unauthorized use of its components. Securely configuring IT products is a fundamental and critical security measure (one of DHS's and NSA's key recovery recommendations to EDA).
Deficiencies identified in OIG and NSA reviews(a): 2006, 2009, 2010, 2012: EDA had not defined or implemented this security measure.

Security measure: Patch Management
Definition: The processes an organization uses to track and correct software (e.g., operating system and application) vulnerabilities
Significance: Without effective patch management, vulnerabilities can remain unremediated, leaving components vulnerable to compromise and information less secure.
Deficiencies identified in OIG and NSA reviews(a): 2009, 2010, 2012: EDA did not reliably track(b) or correct vulnerabilities (some for many years).

Security measure: Auditing and Monitoring
Definition: The processes and tools used to detect the use of systems and information by an unauthorized user or external attackers
Significance: Without effective auditing and monitoring, an organization may not be able to track unauthorized access to components and information, follow an attacker's activities, or reconstruct what happened when an incident occurs.
Deficiencies identified in OIG and NSA reviews(a): 2006, 2012: EDA did not monitor for suspicious activity in its systems.

Security measure: Security Assessments
Definition: Assessments performed to determine the extent of security mechanism implementation
Significance: Without the appropriate assessment of security mechanisms, organizations will not have an accurate picture of the risks to the system and management will not have the information necessary to make appropriate risk-based decisions.
Deficiencies identified in OIG and NSA reviews(a): 2006, 2010, 2012: EDA's assessment methodologies did not appropriately identify deficiencies or convey risks to operations and information.

Source: OIG FISMA reviews from 2006, 2010, and 2012 and NSA's 2009 review
a Not all security mechanisms were assessed in the course of each OIG FISMA review or in NSA's 2009 review.
b Prior to May 2011, EDA's systems had not been scanned for almost a year. When scans resumed, they identified over 35,000 potential vulnerabilities. Scans performed in December 2011, just prior to the incident, indicated that EDA was struggling to remediate these vulnerabilities. OIG's post-incident review found 37 percent (56 of 151) of the vulnerabilities highlighted by the NSA in 2009 still exist—the NSA asserted in its incident response report that EDA did not address remediation recommendations from the NSA's 2009 assessment of EDA's IT systems.

EDA's current CIO joined the organization in April 2011. The CIO inherited an IT security program suffering from longstanding and significant security deficiencies.
For example, the CIO briefed EDA leadership that (1) EDA IT staff lacked appropriate IT security skills, (2) system configuration management and secure configurations were not implemented, and (3) systems were not appropriately monitored.

The Department and EDA[15] knew of EDA's many IT security program deficiencies; therefore, they more readily believed there was a widespread malware infection. Further, when external incident responders analyzed the incident, they too observed pervasive deficiencies—the result of too few implemented IT security mechanisms. Their observations further reinforced the credibility of a widespread malware infection. Furthermore, the pervasive deficiencies led the Office of the Chief Information Officer (OCIO) and EDA not to question the accuracy of the extent of the malware infection, despite a lack of supporting evidence.

D. EDA Sought Validation of a Sophisticated Cyber Attack

EDA hired a cybersecurity contractor—in addition to other external agencies already responding to the incident—to perform an in-depth evaluation of the malware infection in its systems.
EDA's CIO and senior leadership were specifically concerned about nation-state actors[16] and the presence of extremely persistent malware that would prohibit typical containment measures, such as reimaging infected components for immediate use.

On January 30, 2012, EDA's cybersecurity contractor began looking for suspicious activity and malware infections. Preliminary analysis found indications of extremely persistent malware and suspicious activity on EDA's components. EDA immediately acted upon this preliminary information and began an investigation of its entire IT component inventory for potential infections.

E. External Incident Responders Found No Evidence of a Widespread Malware Infection or Extremely Persistent Malware

Within 2 weeks of beginning its incident response activities, EDA's cybersecurity contractor found the initial indications of extremely persistent malware were false positives—not actual malware infections. However, EDA's CIO sought guaranteed assurance that the components were infection-free and no malware could persist. External incident responders were unable to provide the assurance EDA's CIO sought, because doing so involved proving that an infection could not exist rather than that one did not exist. By April 16, 2012, despite months of searching, EDA's cybersecurity contractor was unable to find any extremely persistent malware or indications of a targeted attack on EDA's systems.
Further, the NSA and US-CERT did not find nation-state activity or extremely persistent malware.

[15] The Department's annual internal IT reviews have identified IT security deficiencies in EDA's IT security program.
[16] Nation-state actors are hackers acting on behalf of a nation's government to engage in nefarious activity, such as cyber war and theft of intellectual property.
[17] Cleaning involves using several antivirus products to scan data files for indications of an infection.

On May 15, 2012, EDA's management determined that the forensics investigation was unlikely to yield new evidence and instead focused on cleaning its data[17] and other recovery activities. Ultimately, incident responders identified only six components[18] with malware infections. These malware infections could have been remediated using typical containment measures (e.g., reimaging), which normally have a minimal operational impact.
Additionally, EDA's cybersecurity contractor's data cleaning efforts did not identify any additional components with a malware infection (the contractor did identify the existence of common malware contained in archived e-mail attachments and temporary Internet browser files[19]). Typically, antivirus software prevents common malware from executing; as a result, the contractor did not consider the malware a threat to EDA's components.

Given EDA's history of common malware infections (the NSA identified common malware on EDA's IT systems in its 2009 review), there was a high probability that external incident responders would find some malware infections when investigating EDA's incident. In fact, EDA's lack of implemented IT security and the significant number of easily exploitable vulnerabilities negated an attacker's need to use costly attack techniques (sophisticated cyber attacks) to compromise EDA's systems. EDA's deficient IT security posture made it likely that external incident responders would find common malware.
In the end, nothing identified on EDA's components posed a significant risk to EDA's operations.

However, EDA's CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA's IT components.[20] EDA's management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components,[21] including desktops, printers, TVs, cameras, computer mice, and keyboards. By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million. EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA's IT systems.

Conclusion

Since EDA did not validate the information (e.g., number of infected components and potentially spreading malware infection) it used to make its key decisions, it unnecessarily expended a large portion of its IT budget and many months investigating its incident and planning for the recovery of its IT systems.
[18] External incident responders identified six infected components, two with rootkits (software that enables a persistent infection) and four with common malware—including the two components DOC CIRT identified.
[19] Web browsers store on the IT component's hard drive the information downloaded from each Web page visited to enhance browser performance. Although the industry labels this information "temporary," the information remains on the component's hard drive until manually deleted.
[20] Prior to the incident, EDA purchased laptops intended as replacements for its current desktop and laptop environment. Because these new laptops had not been operational, EDA could incorporate them into its new IT systems.
[21] EDA tracks the acquisition value, rather than the depreciated value, of its components.

Despite only finding common malware
infections, EDA's management and CIO remained convinced that there could be extremely persistent malware somewhere in EDA's IT systems.

To recover from its perceived widespread malware infection, EDA took the following significant recovery steps:

• Employed a cybersecurity contractor to investigate the malware infection and ensure its important data was free of malware
• Entered into an agreement with the Census Bureau to provide EDA with an interim, minimalistic IT solution[22]
• Physically destroyed IT components to ensure that a potential infection could not persist
• Employed a contractor to assist in the development of a long-term recovery solution

EDA expended more than $2.7 million, over half of EDA's FY 2012 IT budget, in pursuit of these recovery activities (see table 2 below for expenditures and finding 3 for further discussion of recovery activities). EDA's persistent mistaken beliefs resulted in an excessive response and ultimately unnecessary expenditure of valuable resources.

Table 2. Significant Recovery Activity Expenditures

Activity                                                                        Expenditure(a)
Cybersecurity contractor investigation of malware infection and data cleaning         $823,000
Temporary infrastructure, pending long-term IT solution                             $1,061,000
Destruction of IT equipment(b)                                                        $175,000
Contractor assistance for a long-term recovery solution                               $688,000
TOTAL EXPENDITURES                                                                  $2,747,000

Source: Contracts from EDA's recovery efforts
a All values in the table are rounded.
b EDA paid $4,300 to destroy $170,500 in IT equipment—these are rounded values.
[22] EDA did not intend for the Census Bureau to provide a final IT recovery solution. Instead, the Census Bureau provided an interim solution that met EDA's minimum operating requirements until EDA could develop a permanent solution.

II. Deficiencies in the Department's Incident Response Program Impeded EDA's Incident Response

Deficiencies in HCHB's incident response program (DOC CIRT) significantly contributed to EDA's inaccurate belief that it experienced a widespread malware infection; consequently, DOC CIRT and EDA propagated inaccurate information that went unidentified for months after EDA's incident.

We found the following deficiencies in DOC CIRT's incident response activities:
• DOC CIRT's incident handlers did not follow the Department's incident response procedures.
• DOC CIRT's incident handler for EDA's incident did not have the requisite experience or qualifications.[23]
• DOC CIRT did not adequately coordinate incident response activities.

A. DOC CIRT Did Not Follow Incident Response Procedures

When responding to EDA's incident, DOC CIRT staff did not appropriately follow incident response procedures. Specifically, DOC CIRT staff did not (1) properly document the initial incident response activities, (2) establish the extent of the malware infection, and (3) perform a required containment procedure.

DOC CIRT did not properly document the initial incident response activities. We found DOC CIRT did not document its communications with EDA or record pertinent incident details like requests, actions taken, or analysis results. For example, the incident handler deleted the first incident notification showing 146 potentially infected components and retained only the second incident notification showing 2 potentially infected components.
Had the incident handler documented all information, per the Department’s incident response procedures, other DOC CIRT staff or external incident responders would have been more likely to identify the misunderstanding regarding the extent of the malware infection. EDA, the Department, and external incident responders would then not have needed to expend resources resolving a widespread malware infection that did not exist.

DOC CIRT did not accurately establish the extent of the malware infection. We found that DOC CIRT staff did not appropriately establish the extent of the malware infection before proceeding with other incident response activities (e.g., conducting forensic analysis). The Department’s incident response procedures require that incident handlers establish the extent of an infection before proceeding with other incident response activities, so that everyone involved in the response can formulate realistic containment and mitigation strategies. Because DOC CIRT did not accurately establish the extent of EDA’s incident, EDA’s misunderstanding (EDA thought there were 146 infected components instead of only 2) influenced everyone’s perception of the incident and contributed to EDA’s unnecessary recovery and remediation activities.

DOC CIRT did not appropriately perform a required containment procedure. When HCHB network staff correctly determined that US-CERT’s alert involved two components, DOC CIRT’s incident handler should have followed the Department’s required containment procedure. Specifically, the incident handler should have directed HCHB security operations center staff to block HCHB network activity associated with the malicious address identified in US-CERT’s alert. Furthermore, on December 15, 2011, EDA reminded DOC CIRT’s incident handler to block the malicious address. However, DOC CIRT did not initiate this action until January 24, 2012, the same day EDA’s systems were isolated from the HCHB network.

23 The Space and Naval Warfare Systems Command (SPAWAR), a Department of the Navy organization, provided the OCIO cybersecurity technical support—including an incident handler—specified in an interagency agreement that ended on February 8, 2012.

B. DOC CIRT’s Inexperienced Staff Hindered EDA’s Incident Response

DOC CIRT’s inexperienced staff and inadequate knowledge of EDA’s incident response capabilities24 hindered its ability to provide adequate incident response services. The DOC CIRT incident handler managing EDA’s initial incident response activities had minimal incident response experience, no incident response training, and inadequate skills to provide incident response services. This lack of experience, training, and skills led the incident handler to request the wrong network logging information (i.e., to perform the wrong incident analysis), which led EDA to believe it had a widespread malware infection, and to deviate from mandatory incident response procedures. The Department’s Office of the Chief Information Officer should have ensured that all DOC CIRT staff met the Department’s minimum incident response qualifications.

In addition, DOC CIRT staff did not understand that there was a preexisting expectation of specific incident response services, as outlined in the service level agreement (SLA) between DOC CIRT and EDA.
The SLA clearly states the incident response services DOC CIRT is obligated to provide (e.g., investigation, forensics, and reverse engineering) and defines EDA’s incident response responsibilities (e.g., reporting incidents and dealing with quarantined or deleted malware). Because DOC CIRT staff did not understand this agreement, they incorrectly assumed EDA was capable of performing its own incident analysis activities (e.g., determining the extent of the malware infection).

24 Each Departmental bureau has designated incident responders and its own set of internal incident response capabilities. The skill level (as gauged by an incident responder’s training, certifications, and previous incident response experience) and the tools available within each bureau differ.

C. DOC CIRT Did Not Adequately Coordinate EDA’s Incident Response Activities

DOC CIRT is responsible for coordinating incident response efforts (e.g., dissemination of information and coordination of incident response activities). However, DOC CIRT did not effectively coordinate EDA’s incident response activities. The inadequate coordination resulted in haphazard communications, in which external incident responders received minimal direction. As a result,

• External incident responders performed redundant forensic analysis on the same components. External incident responders unnecessarily and wastefully expended resources to reach the same conclusions.
• The quality of EDA’s incident response suffered. DOC CIRT and EDA did not use external incident responders’ technical knowledge and experience to their fullest potential.
• Gaining a full understanding of EDA’s incident was difficult. Inadequate coordination resulted in undirected incident response efforts and uncoordinated distribution of pertinent incident information, making it difficult to gain a holistic and unbiased view of the incident.

Conclusion

OIG briefed the Department’s CIO on weaknesses within DOC CIRT that we identified during our review of incident response activities. Accordingly, the Department has taken actions to correct DOC CIRT’s weaknesses.
Specifically, the Department is taking steps to:

• Ensure staff receive appropriate training
• Update incident response procedures
• Review services offered (including the needs and capabilities of each bureau)
• Develop agreements with external agencies to provide incident response expertise
• Hire experienced incident handlers

III. Misdirected Efforts Hindered EDA’s IT System Recovery

Based on EDA’s erroneous belief that it had a widespread malware infection, and on its incorrect interpretation of recovery recommendations, EDA focused its recovery efforts on replacing its IT infrastructure and redesigning its business applications. EDA should instead have concentrated its resources on quickly and fully recovering its IT systems (e.g., critical business applications) to ensure its operational capabilities.

Our review of EDA’s recovery activities found the following:

• EDA decided to replace its entire IT infrastructure based on its incorrect interpretation of recovery recommendations.
• EDA’s recovery efforts were unnecessary.

A. EDA Acted on Its Incorrect Interpretation of Recovery Recommendations

EDA received similar recovery recommendations from NSA and DHS that focused on quickly recovering IT services (e.g., reimaging infected components), implementing security mechanisms and best practices, and monitoring its recovered IT systems for suspicious activity. These recommendations, conventional practices for recovering from a cyber incident, were appropriate for EDA’s recovery.

EDA’s continued belief that it had a significant malware infection and that permanent remediation (i.e., destroying its IT components) was necessary contributed to its incorrect interpretation of the recovery recommendations. EDA erroneously interpreted one of DHS’s draft recommendations—“a complete network rebuild is recommended”—as both prescriptive guidance and direct support for its decision to replace its entire IT infrastructure. However, DHS’s full draft recommendation advised EDA to reimage all IT components and implement required security measures, effectively rebuilding its network. Neither DHS’s nor NSA’s recommendations provided a basis for EDA’s decisions to replace its IT infrastructure and destroy its IT components.

B. EDA’s Recovery Efforts Were Unnecessary

Despite recovery recommendations from DHS and NSA advising EDA to focus on quickly and fully recovering its IT systems, EDA focused instead on building a new, improved IT infrastructure and redesigning its business applications.
In September 2012 (8 months after isolation), EDA leadership presented to the Commerce IT Review Board (CITRB) a request to reprogram funds to carry out its recovery efforts; the CITRB did not approve EDA’s request.25 EDA estimated it would need over $26 million disbursed over the next 3 years to fund its recovery efforts (an increase in the bureau’s average annual IT budget from $3.6 million to approximately $8.83 million, or about 2.5 times more). However, EDA’s intended recovery efforts

• Had a fundamental flaw in acquiring funding. EDA leadership did not understand that the funds it requested to reprogram—over $17 million originally designated for public works and disaster recovery—would actually need to be “repurposed.”26
• Had an unrealistic time frame for acquiring the requested funding. The request’s time frame would have required EDA to gain approval by October 2012 in order to maintain the intended schedule. This was an extremely aggressive time frame, given the process (in which CITRB approval was only the first step) and the time necessary to attain proper clearance to use the funds.
• Would have left EDA reliant on a less effective grants management process. EDA users would have had only limited access to critical business applications. EDA was not scheduled to complete development of replacement applications until the end of FY 2014 (more than 2 years after isolation).
• Conflicted with the Department’s ongoing development of a grants management shared service. EDA’s request for funding to redesign its business applications overlapped with the Department’s development of a grants management shared service.

25 The CITRB provides oversight, review, and advice to the Secretary and Deputy Secretary on both IT and non-IT investments that meet certain criteria. This advice includes recommendations for approval or disapproval of funding for new systems and investments, as well as major modifications to existing systems and investments.

26 According to EDA, it would have needed Departmental and OMB approval of its request to fund its recovery efforts before presenting the request to Congress. EDA would also have needed to request that Congress change the law dictating the original purpose and use of the funds requested.

Further, the following contradicted the direction of EDA’s recovery efforts:
• External incident responders identified only common malware that could be easily mitigated. As a result, there was no need for EDA to destroy or replace existing IT components.
• NSA found no malware infection in the servers hosting EDA’s primary business application. Additionally, there was no evidence to suggest that EDA’s primary business application had been targeted by a cyber attack or maliciously altered—thus, EDA could have put the application back into full operation.

Conclusion

Although EDA intended to use federal government shared services or outsourced commercial services during its recovery efforts, EDA had not finalized a recovery solution. Further, the Department had existing shared IT services (e.g., an image for rebuilding infected components, enterprise e-mail, and help desk services) that were readily available to EDA. However, only after OIG informed the Department and EDA that there was no widespread malware infection, and therefore no significant incident, did the Department and EDA carry out a swift recovery of EDA’s IT systems using the Department’s shared services.

Once it started recovery efforts in February 2013, the Department needed only a little longer than 5 weeks to restore EDA’s former operational capabilities.27 By comparison, EDA’s incomplete efforts spanned almost a year. Specifically, the Department provided EDA with enterprise e-mail, account management services, help desk support services, and a securely configured and uniform image for its laptops. Additionally, the Department restored EDA users’ access to critical business applications.

For the time being, EDA will retain responsibility for maintaining its business applications; however, it may in the future use the Department’s grants management services. With the Department developing and maintaining the IT systems, there is a greater likelihood that the Department will appropriately implement the required security measures (e.g., secure configurations, auditing and monitoring, and patch management) that EDA struggled to implement. Fortunately for EDA, its involvement in the Department’s shared services initiatives not only restored its critical IT systems and business applications but should also reduce its IT budgetary requirements.

27 EDA’s previous access to NOAA’s financial system has yet to be restored.
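Section II.A above faults three procedural steps: retaining every incident notification, establishing the extent of the infection before further analysis, and blocking the malicious address named in the alert. The Python below is added here as an illustration of those steps against a proxy log; it is not code from the OIG report, DOC CIRT, or EDA. The log format, client addresses, indicators (203.0.113.50 and fake-av-update.example), alert time, incident identifier, and block-rule syntax are all constructed for the example and do not come from the audit. It contrasts an over-broad time-window query, which counts every host active near the alert, with the indicator-based query, which yields only the hosts that actually contacted the malicious address, and keeps both results in an append-only record so the discrepancy stays visible to anyone reviewing the incident later.

```python
"""Scoping a malware alert from proxy logs and recording each result.

Added example, not code from the OIG report. The log format, client
addresses, indicators, alert time and block-rule syntax are constructed
for illustration and do not appear in the audit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Indicators from the (constructed) upstream alert; 203.0.113.0/24 is a
# documentation range and the domain is fictitious.
IOC_ADDRESSES = frozenset({"203.0.113.50"})
IOC_DOMAINS = frozenset({"fake-av-update.example"})
ALERT_TIME = datetime(2011, 12, 6, 10, 2, 0)  # constructed alert timestamp

# Constructed proxy log: "<timestamp> <client> <dest-ip> <dest-host> <status>".
# Only 10.20.1.15 and 10.20.1.22 ever reach the indicator.
SAMPLE_LOG = """\
2011-12-06T09:58:02 10.20.1.11 198.51.100.7  intranet.example       200
2011-12-06T10:01:12 10.20.1.15 203.0.113.50  fake-av-update.example 200
2011-12-06T10:01:40 10.20.1.16 198.51.100.9  news.example           200
2011-12-06T10:02:05 10.20.1.22 203.0.113.50  fake-av-update.example 200
2011-12-06T10:02:30 10.20.1.31 198.51.100.7  intranet.example       304
2011-12-06T10:03:11 10.20.1.40 198.51.100.12 cdn.example            200
2011-12-06T10:05:59 10.20.1.15 203.0.113.50  fake-av-update.example 200
2011-12-06T11:30:00 10.20.1.77 198.51.100.9  news.example           200
"""


@dataclass(frozen=True)
class ProxyRecord:
    ts: datetime
    client: str
    dest_ip: str
    dest_host: str
    status: int


def parse_proxy_log(text):
    """Parse the constructed whitespace-separated format, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, dest_ip, dest_host, status = line.split()
            records.append(ProxyRecord(datetime.fromisoformat(ts), client,
                                       dest_ip, dest_host, int(status)))
    return records


def hosts_active_near_alert(records, alert_time=ALERT_TIME, window=timedelta(minutes=10)):
    """Over-broad query: every client with *any* request near the alert.
    It counts bystanders as 'potentially infected' and must not be
    reported as the extent of the infection."""
    lo, hi = alert_time - window, alert_time + window
    return {r.client for r in records if lo <= r.ts <= hi}


def hosts_contacting_iocs(records, addresses=IOC_ADDRESSES, domains=IOC_DOMAINS):
    """Scoping query the procedure calls for: only clients that actually
    reached an indicator named in the alert."""
    return {r.client for r in records
            if r.dest_ip in addresses or r.dest_host in domains}


@dataclass
class IncidentRecord:
    """Append-only incident log: notifications are never deleted or replaced,
    so a later reader can see that two different counts were produced."""
    incident_id: str
    entries: list = field(default_factory=list)        # (when, text)
    notifications: list = field(default_factory=list)  # (when, hosts, method)

    def note(self, when, text):
        self.entries.append((when, text))

    def record_notification(self, when, hosts, method):
        self.notifications.append((when, frozenset(hosts), method))
        self.note(when, f"notification: {len(hosts)} potentially infected "
                        f"component(s); method: {method}")

    def scope_disagreement(self):
        """(method, count) for each retained notification when the counts
        differ; empty once the extent is consistently established."""
        if len({len(h) for _, h, _ in self.notifications}) <= 1:
            return []
        return [(m, len(h)) for _, h, m in self.notifications]


def containment_rules(addresses=IOC_ADDRESSES, domains=IOC_DOMAINS):
    """Block rules for the indicators in a constructed vendor-neutral syntax:
    the containment step the report says was delayed."""
    return ([f"deny ip any host {a}" for a in sorted(addresses)]
            + [f"deny dns-query {d}" for d in sorted(domains)])


def run_example():
    records = parse_proxy_log(SAMPLE_LOG)
    rec = IncidentRecord("INC-constructed-0001")
    rec.record_notification(datetime(2011, 12, 7), hosts_active_near_alert(records),
                            "any request within 10 min of alert")
    rec.record_notification(datetime(2011, 12, 8), hosts_contacting_iocs(records),
                            "contacted alert indicators")
    if rec.scope_disagreement():
        rec.note(datetime(2011, 12, 8), "scope conflict: first count came from a "
                 "time-window query; extent set to hosts that contacted indicators")
    for rule in containment_rules():
        rec.note(datetime(2011, 12, 8), f"containment requested: {rule}")
    return rec


if __name__ == "__main__":
    for when, text in run_example().entries:
        print(when.date(), text)
```

Running the file prints the incident entries in order. The first notification reports six hosts because the time-window query sweeps in every client that happened to be browsing; the second reports the two that actually contacted the indicator. Both stay in the record, the scope-conflict note documents which result was adopted and why, and the containment rules are generated from the alert’s indicators rather than from the host list, so they can be requested on the day of the alert regardless of how the scoping question is later resolved.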
Recommendations

We recommend that the Deputy Assistant Secretary for EDA:

1. Identify EDA’s areas of IT responsibility and ensure the implementation of required security measures.
2. Determine whether EDA can reduce its IT budget and staff expenditures through the increased efficiencies of EDA’s involvement in the Department’s shared services.
3. Ensure that EDA does not destroy additional IT inventory that was taken out of service as a result of this cyber incident.

We recommend that the Department’s Chief Information Officer:

1. Ensure DOC CIRT can appropriately and effectively respond to future cyber incidents.
2. Ensure incident response procedures clearly define DOC CIRT as the incident response coordinator for the bureaus relying on DOC CIRT’s incident response services.
3. Ensure that DOC CIRT management has proper oversight of and involvement in cyber incidents, so that required incident response activities take place.

Summary of Agency and Departmental Responses and OIG Comments

The Deputy Assistant Secretary of Commerce for Economic Development and the Department’s Chief Information Officer (CIO) provided written responses to a draft of this report (see appendixes C and D). We provide summaries of these responses and our comments below.

EDA Response

The Deputy Assistant Secretary of Commerce for Economic Development concurred with our recommendations and noted that EDA has begun implementing them.

EDA also noted that (1) EDA’s focus has been to fully and efficiently recover its IT systems, (2) it has been abundantly cautious in its efforts to protect its staff, other Department systems, grantees, clients, and other federal partners, (3) it continued to conduct and complete its important work on time despite the interruption, and (4) it worked closely with the Census Bureau on an interim recovery solution and, more recently, leveraged the Department’s shared services. EDA’s response identified corrective actions it has taken and plans to take to implement our recommendations.

EDA stated in its response that it “appreciates the Office of Inspector General’s (OIG) comprehensive review and continued involvement from the very early days of the incident when EDA proactively requested OIG’s review of the matter.” While we initiated this audit at the request of the former Acting Deputy Secretary of Commerce, we appreciate EDA’s cooperation throughout our audit.

In its response, EDA noted that its long-term recovery plan already included greater use of shared services by leveraging Department-wide IT assets. However, prior to our briefing on December 18, 2012, EDA had not finalized a recovery solution, such as using the Department’s available shared services.

Department CIO Response

The Department’s CIO concurred with our recommendations related to DOC CIRT, noting that the Department has initiated a comprehensive incident response improvement project. The CIO further stated that the following project milestones have already been completed: (1) conducting a third-party assessment of DOC CIRT’s policies, procedures, and capabilities; (2) hiring experienced and certified incident handlers; and (3) implementing an improved incident tracking system.

In addition, the Department’s CIO stated that, within the past 6 months, the OCIO and the Office of the Secretary (OS) IT Operations worked closely with EDA to restore its functionality by bringing EDA’s grants management system online and bringing EDA’s office automation and IT service desk under OS Information Technology Services.

Appendix A: Objectives, Scope, and Methodology

Our objective was to evaluate EDA’s information security program and its recovery activities in relation to EDA’s cyber incident. We (1) assessed the effectiveness of EDA’s IT security program, (2) determined the significant factors that contributed to the incident, and (3) evaluated both completed and planned activities to recover its information systems to support critical operational requirements.
To do so, we

• Reviewed system-related artifacts, including policy and procedures, planning documents, and other material supporting the security authorization process
• Reviewed artifacts related to EDA’s incident, including incident reports, forensic analysis, logs, written communications, and other incident documentation
• Interviewed operating unit and Department OCIO personnel, including system owners, IT security officers, IT administrators, external incident responders, and organizational directors and administrators, regarding the security and operation of EDA’s IT systems and the incident

We also reviewed EDA’s compliance with the following applicable provisions of law, regulations, and mandatory guidance:

• The Federal Information Security Management Act of 2002
• Information Technology Security Program Policy, U.S. Department of Commerce, introduced by the Chief Information Officer on March 9, 2009, and applicable Commerce Information Technology Requirements
• NIST Federal Information Processing Standards Publications
  o 199, Standards for Security Categorization of Federal Information and Information Systems
  o 200, Minimum Security Requirements for Federal Information and Information Systems
• NIST Special Publications
  o 800-34, Contingency Planning Guide for Federal Information Systems
  o 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
  o 800-53, Recommended Security Controls for Federal Information Systems and Organizations
  o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
  o 800-61, Computer Security Incident Handling Guide
  o 800-70, Security Configuration Checklists Program for IT Products

We conducted our fieldwork from June 2012 to February 2013. We performed this audit under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, and in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

Appendix B: Detailed Timeline of EDA’s Cyber Incident Response and Recovery

Cyber Incident

12/6/2011  US-CERT notifies DOC CIRT of a cyber incident (components communicating with fake antivirus sites).

12/7/2011  DOC CIRT sends EDA a first incident notification concerning US-CERT’s alert. The notification contains an inaccurate list of 146 potentially infected components.

12/8/2011  DOC CIRT sends EDA a second incident notification containing completed analysis that identified only two infected components.

12/9/2011  EDA’s ITSO informs EDA’s CIO that EDA experienced a potential widespread malware infection.

12/13/2011  EDA’s ITSO requests forensic assistance from DOC CIRT, and on 12/14/2011 EDA provides DOC CIRT with the hard drives from two components that were exhibiting malicious behavior.

12/15/2011  EDA asks DOC CIRT to block the malicious sites and addresses associated with the US-CERT alert.

12/16/2011  EDA’s CIO informs EDA’s leadership that the malware infection is potentially widespread.

1/18/2012  DOC CIRT notifies EDA that it identified a common malware infection on the two components EDA provided to DOC CIRT on 12/14/2011. DOC CIRT advises EDA to reimage the infected drives and put the remediated components back into operation. EDA informs DOC CIRT that it cannot do this because there are too many infected components.

1/20/2012  EDA’s CIO notifies EDA’s user base of the malware infection and advises all users to follow good security practices. DOC CIRT requests US-CERT’s assistance, and US-CERT arrives onsite.

1/24/2012  EDA’s CIO believes that the e-mail server experienced a complete operational failure and that, upon restoration, an antivirus scan showed multiple malware infections. EDA’s CIO informs EDA’s leadership (and the Department’s Deputy CIO) of the need to isolate EDA from the HCHB network. EDA takes the following actions: disables its Microsoft Exchange e-mail server connection; disables Internet access; disables its connection with regional offices; and maintains local file-share service availability.

1/27/2012  DOE and NIST incident responders assist onsite with the incident response.

1/30/2012  EDA hires a cybersecurity contractor to assist at the EDA CIO’s discretion. US-CERT issues a preliminary analysis report, which indicates the presence of common malware but no nation-state activity or extremely persistent malware.

2/2/2012  The Department requests NSA’s assistance to investigate the malware infection.

2/3/2012  DOE releases its report detailing the results of its assessment of one component, which indicated a common malware infection but did not identify any nation-state activity or extremely persistent malware.

2/7/2012  DHS issues a report that summarizes its findings and includes recommendations for remediating the infection and establishing good IT security practices. However, the report used inaccurate information provided by DOC CIRT to portray EDA’s incident as widespread.

2/14/2012  NSA assists onsite with incident response activities.

2/17/2012  NSA analysis of the Linux systems finds no evidence of an intrusion or malware infection.

5/15/2012  NSA releases a report stating that EDA had a widespread common malware infection. NSA portrayed this information as fact, even though it did not independently validate the information it received from DHS. However, NSA did analyze EDA’s Linux servers and found that the servers were not infected and that there was no indication of nation-state activity or extremely persistent malware.

Recovery

1/24/2012  EDA operates its existing IT infrastructure in isolation during interim recovery activities in order to meet its grants management deadlines.

2/6/2012  EDA begins coordination with the Census Bureau on its interim recovery activities.

2/14/2012  EDA establishes a Web presence and makes e-mail service available to a limited number of Blackberry users.

3/25/2012  The Census Bureau restores Blackberry service for all EDA staff, and EDA completes the distribution of laptops to all users. This provides office automation capabilities, e-mail services, and Internet access for all users.

4/5/2012  EDA provides users access to a stand-alone implementation of its business applications, which contains historical data necessary to complete its mission activities.

5/15/2012  EDA stops its forensic analysis activities and switches to full-time data cleaning, involving the use of several antivirus products to scan data files for indications of an infection.
The cybersecurity contractor did not identify any additional components with a
             malware infection (the contractor did identify common malware contained in
             archived e-mail attachments and temporary Internet browser files).

9/5/2012     EDA presents a request to the Commerce IT Review Board (CITRB) for funding
             to carry out its recovery efforts. The CITRB does not approve EDA’s request,
             necessitating changes to the intended recovery efforts.

2/6/2013     OCIO begins restoration of EDA’s IT systems.

3/15/2013    OCIO restores EDA’s IT operations, including restoring access for all users to
             its critical grants management applications.


Appendix C: Agency Response


MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR SYSTEM ACQUISITION AND IT SECURITY
June 12,
2013
Page 1 of 2

Attachment

In response to the 2011 cyber incident, EDA took proactive measures to increase the security and
efficiency of its Information and Technology (IT) system; ensure quality service to all its
stakeholders and clients; and enable accountability by requesting the Office of Inspector General
(OIG) evaluate the agency's response and recovery activities.

Recommendation 1: Identify EDA's areas of IT responsibility and ensure the
implementation of required security measures.

EDA Response:              EDA agrees with this recommendation.

Corrective Action To Date:

      1.        EDA transferred a majority of its IT responsibilities to the Department of Commerce
                (DOC), Office of Chief Information Officer (OCIO). In addition, EDA's Loan Billing
                and Managing System (LBMS) has been transferred to the National Oceanic and
                Atmospheric Administration (NOAA). These actions have resulted in a significantly
                more efficient and higher level of overall IT operations and security.

                EDA has identified two remaining areas of IT responsibility: Operations Planning and
                Control System (OPCS) and the Revolving Loan Fund Management System
                (RLFMS). EDA has maintained a high level of security with each of these systems
                and will continue to do so as the agency works with NOAA to transfer system
                functionality to NOAA's secure environment.

      2.        EDA has implemented a program to increase the security training and capabilities of
                all staff,
especially the agency's IT staff. By October 2012, EDA had successfully
                ensured that eight of its 11 OIT employees had achieved DOC IT Security Role
                Certifications. With these certifications, EDA has achieved 100 percent compliance
                with the DOC IT Security Role Certifications. In addition, EDA has currently
                completed 94 percent of the required FY 2013 IT Security Role-Based Training for
                all of the agency's staff members and expects to reach 100 percent prior to the June
                30 deadline.

Continued Action:

      1.        EDA will continue its current work with NOAA to transfer its remaining two areas of
                IT responsibility, OPCS and RLFMS, to NOAA's secure environment.

      2.        EDA and the DOC will reinstate the Oversight Steering Committee to review and
                provide guidance on IT security.


MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT AND EVALUATION
June 12,
2013
Page 2 of 2

Recommendation 2: Determine whether EDA can reduce its IT budget and staff
expenditures, through the increased efficiencies of EDA's involvement in the Department's
shared services.

EDA Response:              EDA agrees with this recommendation.

Corrective Action To Date:

    EDA has carefully reviewed its IT expenditures since the 2011 cyber incident; and through
    its use of shared services, has increased the efficiency and security of its IT system. EDA's
    previously established long-term recovery plan already included greater use of shared
    services by leveraging existing or planned department-wide (including other bureau) IT
    assets. As cost efficiencies are generated from its implementation of shared services, EDA's
    first priority will be to continue its work with the Department and bureaus to ensure that all
    required and recommended security processes, procedures, software and services are fully
    implemented.

Continued Action:

    EDA and the Department will reinstate the Oversight Steering Committee to review and
    provide guidance on IT cost savings and increased efficiencies.


Recommendation 3: Ensure that EDA does not destroy additional IT inventory that was
taken out of service as a result of this cyber incident.

EDA Response:              EDA agrees with this recommendation.

Corrective Action To Date:

    In an effort to secure its IT system due to the cyber incident, EDA replaced its IT
    components with equipment on loan from the Bureau of the Census.
Upon migration of our
    IT operations to the DOC HCHB network, EDA installed new equipment that had been
    purchased prior to the cyber incident. Prior to the cyber incident, EDA had planned to clean
    and surplus desktop computers and servers scheduled for replacement. As a result of this
    report and because very little of this equipment has been destroyed, EDA is able to continue
    this planned action.

Continued Action:

    EDA still possesses 96 percent of its replaced inventory and intends to either put that
    inventory back into service or surplus the items.


Appendix D: Departmental Response